Linux Security
    Linux Security
    Linux Security

    ArchLinux: 202004-13: git: information disclosure

    Posted By

    The package git before version 2.26.1-1 is vulnerable to information disclosure.

    Arch Linux Security Advisory ASA-202004-13
    Severity: High
    Date    : 2020-04-14
    CVE-ID  : CVE-2020-5260
    Package : git
    Type    : information disclosure
    Remote  : Yes
    Link    :
    The package git before version 2.26.1-1 is vulnerable to information
    Upgrade to 2.26.1-1.
    # pacman -Syu "git>=2.26.1-1"
    The problem has been fixed upstream in version 2.26.1.
    The most complete workaround is to disable credential helpers
      git config --unset credential.helper
      git config --global --unset credential.helper
      git config --system --unset credential.helper
    An alternative is to avoid malicious URLs:
    1. Examine the hostname and username portion of URLs fed to git clone
    for the presence of encoded newlines (%0a) or evidence of credential-
    protocol injections (e.g.,
    2. Avoid using submodules with untrusted repositories (don't use clone
    --recurse-submodules; use git submodule update only after examining the
    URLs found in .gitmodules)
    3. Avoid tools which may run git clone on untrusted URLs under the hood
    Affected versions of Git have a vulnerability whereby Git can be
    tricked into sending private credentials to a host controlled by an
    attacker. Git uses external "credential helper" programs to store and
    retrieve passwords or other credentials from secure storage provided by
    the operating system. Specially-crafted URLs that contain an encoded
    newline can inject unintended values into the credential helper
    protocol stream, causing the credential helper to retrieve the password
    for one server (e.g., for an HTTP request being made
    to another server (e.g.,, resulting in credentials
    for the former being sent to the latter. There are no restrictions on
    the relationship between the two, meaning that an attacker can craft a
    URL that will present stored credentials for any host to a host of
    their choosing.
    The vulnerability can be triggered by feeding a malicious URL to git
    clone. However, the affected URLs look rather suspicious; the likely
    vector would be through systems which automatically clone URLs not
    visible to the user, such as Git submodules, or package systems built
    around Git. The problem has been patched in the versions published on
    April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the
    change further can do so by applying commit 9a6bbee (the full release
    includes extra checks for git fsck, but that commit is sufficient to
    protect clients against the vulnerability). The patched versions are:
    2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3,
    A remote attacker could trick Git into returning credential information
    for a wrong host by providing a malicious URL.
    ========== email address is being protected from spambots. You need JavaScript enabled to view it./

    LinuxSecurity Poll

    Which aspect of server security are you most interested in learning more about?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"131","title":"Preventing information leakage","votes":"1","type":"x","order":"1","pct":100,"resources":[]},{"id":"132","title":"Firewall considerations","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"133","title":"Permissions ","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350


    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.